Security policy editor

ABSTRACT

A shared computing infrastructure has associated therewith a portal application through which users access the infrastructure and provision one or more services, such as content storage and delivery. The portal comprises a security policy editor, a web-based configuration tool that is intended for use by customers to generate and apply security policies to their media content. The security policy editor provides the user the ability to create and manage security policies, to assign policies so created to desired media content and/or player components, and to view information regarding all of the customer&#39;s current policy assignments. The editor provides a unified interface to configure all media security services that are available to the CDN customer from a single interface, and to enable the configured security features to be promptly propagated and enforced throughout the overlay network infrastructure. The editor advantageously enables security features to be configured independently of a delivery configuration.

BACKGROUND OF THE INVENTION Technical Field

This application relates generally to management of content in a sharedinfrastructure.

Brief Description of the Related Art

Distributed computer systems are well-known in the prior art. One suchdistributed computer system is an overlay network that is operated andmanaged by a service provider. A commercial overlay network is sometimesreferred to as a “content delivery network” or CDN. The service providertypically provides the content delivery service on behalf of thirdparties (customers) who use the service provider's infrastructure. Adistributed system of this type typically refers to a collection ofautonomous computers linked by a network or networks, together with thesoftware, systems, protocols and techniques designed to facilitatevarious services, such as content delivery, web applicationacceleration, or other support of outsourced origin site infrastructure.A CDN service provider typically provides service delivery throughdigital properties (such as a website), which are provisioned in acustomer portal and then deployed to the network. A digital propertytypically is bound to one or more edge configurations that allow theservice provider to account for traffic and bill its customer.

While content delivery networks such as described above providesignificant advantages, typically they include dedicated platforms tosupport delivery of content for multiple third party runtimeenvironments that are, in turn, based on their own proprietarytechnologies, media servers, and protocols. These distinct platforms arecostly to implement and to maintain, especially globally and at scale asthe number of end users increases. Moreover, at the same time, contentproviders (such as large-scale broadcasters, film distributors, and thelike) desire their content to be delivered online in a manner thatcomplements traditional mediums such as broadcast TV (including highdefinition or “HD” television) and DVD. This content may also beprovided at different bit rates. End users also desire to interact withthe content as they can do now with traditional DVR-based contentdelivered over satellite or cable. A further complication is thatInternet-based content delivery is no longer limited to fixed lineenvironments such as the desktop, as more and more end users now usemobile devices such as the Apple® iPhone® to receive and view contentover mobile environments.

It is also known to provide an integrated content delivery networkplatform with the ability to deliver online content (such as HD-qualityvideo) at broadcast audience scale to the most popular runtimeenvironments (such as Adobe® Flash®, Microsoft® Silveright®, etc.) aswell as to mobile devices such as the iPhone to match what viewersexpect from traditional broadcast TV. The techniques described in U.S.Publication No. 2011/0296048, the disclosure of which is incorporatedherein by reference, address this problem. The approach described thereprovides an integrated HTTP-based delivery platform that provides forthe delivery online of HD-video quality content to the most popularruntime environments and to the latest devices in both fixed line andmobile environments. The platform supports delivery of both “live” and“on-demand” content. The techniques described therein are sometimesreferred to herein as the HD Network™.

As noted above, a content delivery network such as described abovetypically includes a customer portal. The customer portal is typicallyweb-based and configured as an extranet configuration application bywhich users authorized by a CDN customer access and provision theirservices. One such service is the storage and delivery of digitizedfiles, software, video, or other large objects. Customers who use theCDN shared infrastructure for this purpose typically require the abilityto manage their content files. As used herein, file management typicallyrefers to the ability to list, move, delete and upload files, as well asto create and remove directories in which the customer's content isstored. A CDN portal application (the “portal”) typically is implementedas a distributed, secure application comprising a web server-basedfront-end, one or more application servers, one or more databaseservers, a database, and other security, administrative and managementcomponents.

With the skyrocketing popularity of online audio and video, contentpublishers have an extraordinary opportunity to leverage the compelling,interactive medium that the Internet offers to reach greater audiencesand explore new business models. Because content piracy fundamentallythreatens the content provider's ability to monetize valuable assets, itmust protect its content from unauthorized use and redistribution.Beyond the requirements of the provider's own business model, theprovider may be further tasked with the challenge of enforcing securityand access control restrictions driven by outside content rightsholders.

Securing media assets is a complex issue, one that requires adefense-in-depth approach that employs different techniques to defendagainst different threats. In addition, content protection solutionsneed to strike the right balance between business and legalrequirements, end user experience, and cost.

There is a need for a simple-to-use, web-based interface that enablesconfiguration and application of various security services for mediacontent that is adapted to be delivered over a third partyinfrastructure.

BRIEF SUMMARY

A shared computing infrastructure has associated therewith a storagesystem, and a portal application through which portal users access theshared computing infrastructure and provision one or more services, suchas content storage and delivery. A representative shared computinginfrastructure is a content delivery network (CDN). According to thisdisclosure, the infrastructure includes a portal that comprises asecurity policy editor, a web-based configuration tool that is intendedfor use by customers to generate and apply security policies to theirmedia content. The security policy editor provides the user (e.g., a CDNcustomer administrator) the ability to create and manage securitypolicies, to assign policies so created to desired media content and/orplayer components, and to view information regarding all of thecustomer's current policy assignments. The editor provides a unifiedinterface to configure all media security services that are available tothe CDN customer from a single interface, and to enable the configuredsecurity features to be promptly propagated and enforced throughout theoverlay network infrastructure. The editor advantageously enablessecurity features to be configured independently of a deliveryconfiguration. This approach ensures that security policies are appliedin a consistent manner across all delivery formats being utilized by thecustomer.

To that end, and according to another aspect of this disclosure,security policy enforcement uses a bifurcated approach. In particular,the basic logic that is used to enforce a security feature (e.g., how toenforce a geo-targeting restriction, how to check an authenticationtoken, or the like depending on the feature) is encoded in (relatively)slow-changing metadata that is common to some (or even all) CDNcustomers. That metadata is provided to servers within the CDN at whichpolicy decisions are enforced. On the other hand, the actual details ofa customer's security policy (e.g., the list of countries against whichthe geo-targeting restriction is to be applied, a salt to be used tocheck the authentication token, product enablement data, etc., dependingon the feature) are stored separately and stitched back into theunderlying enforcement logic at runtime (i.e., at the time the securitypolicy needs to be enforced with respect to a particular resourcerequest). The security policy and its associated parameters arecustomer-specific and may be (relatively) fast-changing (as compared tothe underlying logic, which is more static). In one embodiment, thesecurity policy and parameters are encoded as an edge-side-include (ESI)fragment that is retrieved and executed in an edge server to enforce asecurity policy. In an alternative embodiment, the security policy andparameters are stored as a pre-compiled decision tree and retrievablefrom a secure, scalable database.

The foregoing has outlined some of the more pertinent features of thedisclosed subject matter. These features should be construed to bemerely illustrative. Many other beneficial results can be attained byapplying the disclosed subject matter in a different manner or bymodifying the subject matter as will be described.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the disclosed subject matter andthe advantages thereof, reference is now made to the followingdescriptions taken in conjunction with the accompanying drawings, inwhich:

FIG. 1 is a block diagram illustrating a known distributed computersystem configured as a content delivery network (CDN);

FIG. 2 is a representative CDN edge machine configuration;

FIG. 3 illustrates a representative security policy editor interface;

FIG. 4 illustrates a display tab in the security policy editor interfacefor policy assignment;

FIG. 5 illustrates a representative summary tab in the security policyeditor;

FIG. 6 illustrates a representative token authentication tab in theeditor;

FIG. 7 illustrates a representative content targeting tab in the editor;

FIG. 8 illustrates an IP access list option of the content targetingtab;

FIG. 9 illustrates a referrer checking option of the content targetingtab;

FIG. 10 illustrates a representative media encryption protection tab inthe editor;

FIG. 11 illustrates a representative player verification tab in theeditor; and

FIG. 12 illustrates a runtime request processing flow according to afirst embodiment.

DETAILED DESCRIPTION

FIG. 1 illustrates a known distributed computer system (a sharedinfrastructure) for storage of and delivery of content (digitized files)on behalf of customers of that shared infrastructure. As will bedescribed herein, the shared infrastructure includes a security policyeditor solution (referred to as the “Security Policy Editor (SPE)”) thatenables security features to be configured independently of deliveryoptions associated with the delivery of content from the sharedinfrastructure in multiple output formats. The security policy editorenables configuration of security settings (policies) that are then madeavailable (enforced) across all network configurations, regardless offormat.

As used herein, a “policy” (or a “security policy”) is a collection ofvalues that control the enforcement of a security feature/serviceprovided by the overlay network (or other cloud-based) service provider.A “configuration” refers to a customer's configuration for a particulardelivery product/service. A “pre-configured value selection” (PVS)refers to the concept of grouping one or more values into apre-configured policy that can be validated and applied across theoverlay network infrastructure reliably and quickly. With the PVSapproach, and as will be described, changes to any part of a securityconfiguration can be updated independently of the configurations thatreference it.

By way of background, in a known system, such as shown in FIG. 1, adistributed computer system 100 is configured as a CDN and is assumed tohave a set of machines 102 a-n distributed around the Internet.Typically, most of the machines are servers located near the edge of theInternet, i.e., at or adjacent end user access networks. A networkoperations command center (NOCC) 104 manages operations of the variousmachines in the system. Third party sites, such as web site 106, offloaddelivery of content (e.g., HTML, embedded page objects, streaming media,software downloads, and the like) to the distributed computer system 100and, in particular, to “edge” servers. Typically, content providersoffload their content delivery by aliasing (e.g., by a DNS CNAME) givencontent provider domains or sub-domains to domains that are managed bythe service provider's authoritative domain name service. End users thatdesire the content are directed to the distributed computer system toobtain that content more reliably and efficiently. Although not shown indetail, the distributed computer system may also include otherinfrastructure, such as a distributed data collection system 108 thatcollects usage and other data from the edge servers, aggregates thatdata across a region or set of regions, and passes that data to otherback-end systems 110, 112, 114 and 116 to facilitate monitoring,logging, alerts, billing, management and other operational andadministrative functions. Distributed network agents 118 monitor thenetwork as well as the server loads and provide network, traffic andload data to a DNS query handling mechanism 115, which is authoritativefor content domains being managed by the CDN. A distributed datatransport mechanism 120 may be used to distribute control information(e.g., metadata to manage content, to facilitate load balancing, and thelike) to the edge servers.

As illustrated in FIG. 2, a given machine 200 comprises commodityhardware (e.g., an Intel Pentium processor) 202 running an operatingsystem kernel (such as Linux or variant) 204 that supports one or moreapplications 206 a-n. To facilitate content delivery services, forexample, given machines typically run a set of applications, such as anHTTP proxy 207 (sometimes referred to as a “global host” or “ghost”process), a name server 208, a local monitoring process 210, adistributed data collection process 212, and the like. For streamingmedia, the machine also may include one or more media servers, such as aWindows Media Server (WMS) or Flash server, as required by the supportedmedia formats.

A CDN edge server is configured to provide one or more extended contentdelivery features, preferably on a domain-specific, customer-specificbasis, preferably using configuration files that are distributed to theedge servers using a configuration system. A given configuration filepreferably is XML-based and includes a set of content handling rules anddirectives that facilitate one or more advanced content handlingfeatures. The configuration file may be delivered to the CDN edge servervia the data transport mechanism. U.S. Pat. No. 7,111,057 illustrates auseful infrastructure for delivering and managing edge server contentcontrol information, and this and other edge server control informationcan be provisioned by the CDN service provider itself, or (via anextranet or the like) the content provider customer who operates theorigin server.

An edge server typically includes an edge-side-include (ESI) mechanism,such as described in U.S. Pat. No. 7,752,258. ESI is a simple markuplanguage used to define the business logic for how Web page componentsare dynamically assembled and delivered from the edge of the Internet.In the CDN context, ESI is used to provide a way for a content providerto express the business logic of how a CDN provider should assemble thecontent provider's pages. More generally, it provides a mechanism forassembling dynamic content transparently across application serversolutions, content management systems and other networks. It enables acontent provider to develop a Web application once and choose atdeployment time where the application should be assembled, e.g., on acontent management system, an application server, or the CDN, thusreducing complexity, development time and deployment costs. The ESIinclusion function enables the retrieval and including of files thatcomprise a web page, with each file subject to its own configuration andcontrol, namely, cacheability properties, refresh properties, and soforth.

The CDN includes or has associated therewith a storage subsystem, suchas described in U.S. Pat. No. 7,472,178, the disclosure of which isincorporated herein by reference. A representative storage site in thiscontext is a collection of one of more storage “regions,” typically inone physical location. In this subsystem, preferably content (e.g., acustomer's digital files) is replicated across storage sites.

The CDN also may operate a server cache hierarchy to provideintermediate caching of customer content; one such cache hierarchysubsystem is described in U.S. Pat. No. 7,376,716, the disclosure ofwhich is incorporated herein by reference.

The CDN may provide secure content delivery among a client browser, edgeserver and customer origin server in the manner described in U.S.Publication No. 20040093419. Secure content delivery as describedtherein enforces SSL-based links between the client and the edge serverprocess, on the one hand, and between the edge server process and anorigin server process, on the other hand. This enables an SSL-protectedweb page and/or components thereof to be delivered via the edge server.

As an overlay, the CDN resources may be used to facilitate wide areanetwork (WAN) acceleration services between enterprise data centers(which may be privately-managed) and third party software-as-a-service(SaaS) providers.

In a typical operation, a content provider identifies a content providerdomain or sub-domain that it desires to have served by the CDN. The CDNservice provider associates (e.g., via a canonical name, or CNAME) thecontent provider domain with an edge network (CDN) hostname, and the CDNprovider then provides that edge network hostname to the contentprovider. When a DNS query to the content provider domain or sub-domainis received at the content provider's domain name servers, those serversrespond by returning the edge network hostname. The edge networkhostname points to the CDN, and that edge network hostname is thenresolved through the CDN name service. To that end, the CDN name servicereturns one or more IP addresses. The requesting client browser thenmakes a content request (e.g., via HTTP or HTTPS) to an edge serverassociated with the IP address. The request includes a host header thatincludes the original content provider domain or sub-domain. Uponreceipt of the request with the host header, the edge server checks itsconfiguration file to determine whether the content domain or sub-domainrequested is actually being handled by the CDN. If so, the edge serverapplies its content handling rules and directives for that domain orsub-domain as specified in the configuration. These content handlingrules and directives may be located within an XML-based “metadata”configuration file.

As noted above, the CDN service provider provides a secure customerportal that is web-based and configured as an extranet configurationapplication. The portal is the usual way in which users authorized by aCDN customer access and provision their services. One such service isthe storage and delivery of digitized files, software, video, or otherlarge objects. Customers who use the CDN shared infrastructure for thispurpose typically require the ability to manage their content files. Asused herein, and as noted above, file management typically refers to theability to list, move, delete and upload files, as well as to create andremove directories in which the customer's content is stored. A CDNportal application (the “portal”) typically executes on one or moremachines, wherein a machine comprises hardware (CPU, disk, memory,network interfaces, other I/O), operating system software, applicationsand utilities. The portal typically is implemented as a distributed,secure application comprising a web server-based front-end, one or moreapplication servers, one or more database servers, a database, and othersecurity, administrative and management components.

An edge server process may need to contact an intermediate server toretrieve user information before going forward to an origin server. Anintermediate processing agent (IPA) may be used for this purpose. An IPArequest is an internal (within the CDN) request having a response thatmay be cacheable. Control over the IPA function may be implemented inedge server metadata.

For purposes of this disclosure, it is assumed that the CDN (or othercloud-based provider) provides an integrated HTTP-based deliveryplatform that provides for the delivery online of HD-video and audioquality content to popular runtime environments operating on multipletypes of client devices in both fixed line and mobile environments. Thecontent is available in multiple formats.

Security Policy Editor

With the above as background, the subject matter of this disclosure isnow described.

As described herein, the security policy editor application provides astreamlined, easy-to-use, web-based interface to the CDN for CDNcustomers. As noted above, the security policy editor enables anauthenticated and authorized user (associated with a CDN customer) tocreate a policy and configure one or more security services, and thenapply the policy to content to protect it.

For purposes of illustration only, it is assumed that the serviceprovider provides a suite of security services such as, withoutlimitation, token authorization (which is used to authorize an end userand prevent link sharing and/or media player hijacking), contenttargeting (which enables selection of client IP addresses and/or domainsto limit access to content), media encryption (which enables delivery ofcontent in an encrypted format to the media player runtime), playerverification (which enables validation of a media player against a listof approved players to detect player tampering and prevent deep linkingattacks, and the like. According to this disclosure, SPE is used tocreate a policy comprised of one or more of such protection servicesthat are then applied to a configuration of media. This configurationmay be generated using any convenient media provisioning tool orapplication.

According to another aspect of this disclosure, security policyenforcement uses a bifurcated approach. In particular, preferably thebasic logic that is used to enforce a security feature is encoded in(relatively) slow-changing metadata that is common to some (or even all)CDN customers. That metadata is provided to servers within the CDN atwhich policy decisions are enforced. On the other hand, the actualdetails of a customer's security policy are stored separately andstitched back into the underlying enforcement logic at runtime (i.e., atthe time the security policy needs to be enforced with respect to aparticular resource request). The security policy and its associatedparameters are customer-specific (or even more fine-grained) and may be(relatively) fast-changing (as compared to the underlying logic, whichis more static). A customer may have many of security policies, and eachsuch security policy may be as fine-grained as desired. In oneembodiment, as will be described below, the security policy andparameters are encoded as an edge-side-include (ESI) fragment that isretrieved and executed in an edge server to enforce a security policy.In an alternative embodiment, the security policy and parameters arestored and retrievable from a secure, scalable data storage system.

The portal application in general and the security policy editor inparticular may be implemented as a web-based interface, e.g., as a setof web pages that are available at a particular overlay network domain,together with the software functions and features described herein.

The following describes additional details of the security policy editorinterface and functionality. It is assumed that each individual securityservice available in SPE requires a specific permission for use, whichprovisions are established during provisioning of the customer account.Preferably, the one or more permission(s) that enable access to the oneor more security services are defined in an access control file. Thus,when a permitted user associated with a customer accesses SPE, onlythose security services that have been provisioned for that customer areexposed to the user. Upon permitted access to the portal, the end usernavigates to the UI and is presented with several display tabs (webpages), such as shown in FIG. 3. The Manage Policies tab is used tocreate and manage security policies. The Assign Policy tab is used toassign policies that have been created to desired media content and/orplayer components, in order to provide them with the securityconfigured. The Policy Assignments tab allows the user to viewinformation regarding all of the customer's current policy assignments.

Without intending to be limiting, the Manage Policies tab includes anumber of display elements. A Display <#> Policies drop-down enables theuser to select a maximum number of policies displayed per page. TheFilter Policies field enables a user to input a desired Policy Name. TheName column identifies the name given to the security policy duringcreation. In this example, there are several policy types. An Allow All(Preset)/Deny All (Preset) Policies appear by default. They are usedduring generation of a media configuration. The remaining example typesare Standard Policies, which refers to entries that are revealed as asingle, clickable name value. These represent current, valid policiesthat have been created using SPE. The Network column representsavailable instances of a policy/configuration relationship which, inthis example, are Staging and Production. These are merelyrepresentative. The Status column is the current status of each Networkinstance of the policy. The Enabled Features column is populated withthe protections that have been configured for each Network instance ofthe policy, such as TA (token authentication), ME (media encryption), PV(player verification) and CT (content targeting). Entries revealed withcheck marks indicate that this protection has been enabled in thepolicy. The Active Configuration(s) column includes values thatrepresent the number of active configurations to which the policy hasbeen assigned/promoted (i.e., based on the Network instance of thepolicy). The Actions column offers a gear icon for Network instance ofthe policy. When clicked, a menu of options is revealed that can be usedto interact with the policy (based on the Network instance). Thus, for aProduction network, the user can select an option to edit a staginginstance of the policy, clone a production instance of the policy, viewhistorical data pertaining to the production instance of the policy,delete the policy, and the like. For a Staging network, the user canselect an option to edit the policy, or to promote apolicy/configuration relationship from the staging network to theproduction network.

As noted above, the above-described security services (e.g., TA, ME, PVand CT) are not intended to be limiting. Other security servicesinclude, without limitation, digital watermarking, digital rightsmanagement, fraud detection, and other analytics services related tosecurity and firewall services.

Thus, FIG. 3, the initial SPE screen, shows a list of policies andsummary data.

Preferably, a media configuration file consisting of desired mediacontent/players is generated and available to the system. Oncegenerated, the configuration as defined is saved (e.g., as an individualXML file) that is available for selection in the SPE UI when performingpolicy creation.

The Policy Assignment process is implemented using the Assign Policytab. The user selects either Staging or Production (e.g., using a radiobutton), which navigates the user to a Policy Assignment tab as shown inFIG. 4. By default, Staging is a required setting when applying a newpolicy to a configuration. In particular, preferably apolicy/configuration relationship must first exist in the Stagingnetwork (e.g., for testing/verification purposes) prior to beingpromoted to the Production network. When the Production value selected,all options in the tab except the Configuration drop-down are hidden.This allows the user to select a specific configuration and view thesecurity policies that are currently associated with it (e.g., forreview purposes). From the Configuration drop-down, the user can selectthe appropriate configuration. In the Path/URL Wildcard field, the usercan input a path value that points to the content in the selectedconfiguration that is to be protected by the policy. Based on contentformat, wildcards may be supported. The Security Policy drop-down isused to select the appropriate policy. If desired, the user can set arange of time for which the policy will be valid, using the Start/EndDate/Time functionality. The user can click an Add Path button to assignthe policy. The defined path (that the policy targets) is then displayedin the table at the bottom of the tab. The above-described steps arerepeated to assign additional policies. Using the interface, the usercan protect a different path of content with the same policy, protectthe same path of content with a different policy (e.g., at a laterdate), or the like. When the desired polices are assigned, the userselects the Save button. As a result, the association between the policyand the configuration exists in the Staging network and can be testedand/or verified. When the association is ready to be implemented in theProduction network, it is promoted by being assigned to the Productionnetwork.

As will be described in more detail below, the output of this process isan ESI fragment (or secure database entry) that maps a configuration tothe policy. At runtime, this information is then stitched to appropriatesecurity feature logic (defined in edge server metadata) to enforce apolicy decision. That process is described below.

Although not a limitation, when using the functionality in this tab toassign policies, SPE may enforce certain precedence rules in the eventthat multiple policies target the same content, or Start/End Time rangeconflicts. Preferably, protections take effect by most specific and donot merge. Thus, if the user assigns a policy to a folder that utilizesME, and then assigns a policy that does not use ME to an individual filein that folder, the policy set for the file will take precedence. Also,preferably time-based assignments take precedence over those that do notincorporate a range. Also, preferably date/time assignment overlaps maybe handled as follows. Preferably, duplicate paths cannot exist withinthe same time period. Thus, for example, once the user inputs a specificPath/URL Wildcard and applied a Start/End Date/Time range, that samepath cannot be applied within that same time period. Also, according tothis precedence rule, End Date/Time is not inclusive. Thus, the end usercan set two different Start/End Date/Time ranges of protection for thesame path of content (e.g., to protect the same path of content with twodifferent security policies over two different ranges of time.

Once a policy is created or edited, a user can navigate to a summarypage that shows the basic high level settings and the configurations towhich the policy is tied. The summary screen is shown (in a defaultsetting) in FIG. 5.

As seen in FIG. 5, the SPE provides individual configuration tabs foreach of the security services that are enabled for the account.

FIG. 6 illustrates a representative token authentication tab. Using thetab, the user can Enable Token Auth (to enforce this security in thepolicy), and set an Active Password that will be used for validation(i.e., the “trusted shared secret” used as the “key” in an HMAC, whengenerating the token). The Generate Active Password button is selectedto have a valid value automatically generated for the Active Passwordfield. The Char Long Field is used to input a value to serve as acharacter length for a password generated via the Generate ActivePassword button. A Transition Password is optional and can be used toinput a different “trusted shared secret” password that may be used as abackup. The Cycle Password button can be used to have the current ActivePassword value copied to the Transition Password field. The SegmentedContent Options are used to define how the password values establishedabove are to be applied. Settings are stored when the Save button isselected.

FIG. 7 illustrates a representative content targeting tab. Using thetab, the user can enable a security policy to permit/deny end usersaccess to content, using any of several methodologies (or acombination): geographic location, specific IP address, and referrer website. FIG. 7 illustrates the geo-location configuration tab. Thefunction is enabled by the user selecting the Enable GeoProtectionoption. This enables the configuration options, such as Location Type, adrop-down list that includes Countries (Default), Regions and Locations.The Available Locations window is populated with selectable entriesbased on which is specified in the Location Type drop-down. Using thisfunction, the user can define the limitation such as “Deny from theselocations” or “Allow only these locations.” Using additional controls,the user can “Override GEO Blocking” to override a “Deny” setting forindividual IP addresses within a specified country/region. The user alsocan select Redirect on Deny to specify a URL of a page that serves as a“deny” destination. FIG. 8 illustrates an Enable IP Access Lists optionthat is available from the content targeting tab. FIG. 9 illustrates anEnable Referrer Checking functionality that is available from thecontent targeting tab.

FIG. 10 illustrates a representative media encryption tab exposed in theeditor. Media encryption provides security by delivering “in thenetwork” encryption. Using this tab, the user can enable the service,specify the extent of the encryption coverage (full or partialencryption of the payload), specify the cipher (or use a default asspecified), and enable a group mode (which encrypts a portion of anoutput with a unique session key configurable as a number of bytes, andthen a remainder with a group key that is shared across users).

FIG. 11 illustrates a representative player verification tab exposed inthe editor. Player verification prevents unauthorized players fromplaying protected content. The option is selected by the user checkingthe Enable Player Verification checkbox. If desired, the user can clickEnable Support Player Bypass to temporarily enable a test player for usein testing the security. The Approved Players frame identifies theplayers that have been configured. As a player is added, it is enabledby selecting a checkbox. A player may be included by calling out itshash equivalent (e.g., using a SHA-256 hash).

The above-described SPE display interfaces are not intended to belimiting. Any of the described features/options may be omitted, andothers may be included depending on the security service functionality.Other configuration tabs directed to other security services may beadded. Although not shown, the SPE will or may include other policy ormanagement tabs, such as a tab to promote a newly-created policy or anedited policy, a policy history tab, a change history tab, a policydelete tab, a policy clone tab, and the like. Also, there is norequirement that separate staging and production networks be used; thus,the SPE options may adjusted accordingly.

FIG. 12 illustrates the runtime processing of a security policyaccording to this disclosure. As noted above, a security policy and itsassociated parameters are created and saved (e.g., in a portaldatabase). These pre-configured values are pushed to an ESI fragment(e.g., one per policy) and stored. The result is a policy.esi fragmentthat is later used to return these parameters to a requesting GHostprocess running on an edge server (and that includes an ESI mechanism).As will be described, the parameters are then used by a static snippetof edge server metadata that contains the logic for enforcing thefeatures. Preferably, when a policy is assigned to a configuration (ashas been described above), the portal stores entries in a policy_map.esifile (one per customer) that is used by the GHost process fordetermining the policy to use for a particular request (by hostname andpath). The policy_map.esi is an ESI fragment that is one per customerand that stores the mapping assignments between policies andconfigurations. It accepts inputs of digital property and path, and usesthese values to determine the correct policy.esi to include. Thepolicy.esi is an ESI fragment that stores policy values, one perconfigured policy. The correct policy file is included by thepolicy_map.esi. Policies are stored in a data store, each preferablyencrypted with a cacheable key stored in a key managementinfrastructure. Rather than directly storing values (in a data drivensystem like a key management infrastructure), they may be defined intovariables in a small ESI fragment. When the fragment is executed in aGHost process, it simply places the parameters into response headers,which provides the GHost process a way to extract them into metadatavariables; the features are then enforced in metadata in a conventionalmanner.

Thus, in the ESI-based embodiment, preferably only static parameters(e.g., token salt, list of countries, lists of approved player hashes,etc.) are stored in the ESI. As noted in the previous paragraph, uponrequest (from GHost) these values are set into response headers andplugged into metadata variables. In this bifurcated approach, preferablythe logic for enforcing the security feature is coded in the securitymetadata, which is more static, and that is delivered to the variousGHost processes (e.g., using an appropriate metadata communicationchannel or other means). Thus, preferably the ESI only returns headersthat are used to populate variables in GHost metadata that are neededfor enforcement of security. Security metadata thus is relativelyslow-changing and may be maintained by the service provider. When acustomer begins using the service, a snippet of security metadata(corresponding to the provisioned security feature) is added to thecustomer's metadata configuration (that executes at the edge server).The security metadata should remain fairly static, as (according to thebifurcated approach herein) changes to security features and versioningare done independently. With this approach, the security parametersassociated with a particular security policy created through SPEpopulate metadata variables when the metadata is executed on the edge.

FIG. 12 illustrates this runtime request behavior for the ESIembodiment. At step (1), the policy saves the policy.esi file (one perpolicy). The policy_map.esi file (one per customer) is updated ifchanges are made to the associations of policy to deliveryconfiguration. At step (2), and after an end user has been associatedwith an edge server GHost process via DNS, the end user makes a requestto GHost for protected content. As has been described, access to thecontent is presumed to be controlled by a security service function forwhich security metadata has been provisioned (generally), and thesecurity metadata details the logic for how to perform the securitycheck required. Thus, at step (2), the metadata snippet for securityenforcement is pulled. At step (3), GHost makes a request topolicy_map.esi, using the appropriate query parameters for host, path,media format, and the like (included, for example, in a cache key). Atstep (4), the policy_map.esi determines the right policy to be used forthis request, and esi:includes it. At step (5), policy.esi is executed,and it returns response headers to GHost with the configured parameters,lists, and other data associated with the security policy. The outputmay be cached. At step (6), the metadata sets the variables using theinformation from the ESI response headers, and the remainder of thesecurity metadata template enforces the security feature (as describedin the logic). Once enforced, at step (7), the request continues (HTTP200) or fails (HTTP 403).

As shown in FIG. 12, the policy.esi and policy_map.esi fragments may bestored directly on a back-end data storage system, e.g., in a commonstorage group. Preferably, each customer has a unique ID assigned tothem by the portal.

Thus, in the embodiment shown in FIG. 12, SPE employs a set of ESI-basedpolicy files to near-instantly modify behavior of requests, enabling ordisabling a multitude of media security features. While this approachworks well, other approaches for storing and delivering (to therequesting GHost process) the policy-specific information may beutilized. In one alternative approach, virtually all policy logic istranslated into a compiled form that can be executed remotely. Thisapproach streamlines the execution path. Headers (with the relevantsecurity policy data) are still provided to trigger behavior ofpredefined security metadata (as in the ESI embodiment), but there is norequirement to interpret and execute ESI on each hit. Rather, in thisapproach, these headers are provided by making a single (remoteprocedure) call to a “decider” tier (external to GHost) that executesthe precompiled code and returns the headers directly. The pre-compileddecision tree (which in effect contains all matches expressed in thepolicy_map file) can by dynamically zoned to different edge serverregions to selectively test new policy logic with specific geographicregions. Also, the footprint needed to store the pre-compiled decisiontree is much smaller than that needed in the ESI approach. Thisalternative approach also provides operational advantages because it isrelatively easy to do the zoning, loading and execution of thisprecompiled code in the supporting infrastructure.

The approach described herein has many advantages. When the portal (SPE)accepts user input, it can validate that the values are correctlyformatted and that the parameters entered are otherwise acceptable.Meanwhile, the edge server-supported security metadata can itself bestructured to validate the values returned in ESI headers prior tosetting/using the variables. As noted, in this approach, the metadata(the logic behind a security feature) is fairly static so that is can becarefully constructed, tested, validated, and quality assured beforebeing pushed out for use. Moreover, by executing the security policy atruntime in the manner described, the policy enforcement is moreefficient in terms of computation and storage.

The fast changing ESI tier (or, alternatively, the pre-compiled decisiontree and data store) can reach very quickly to customer changes withminimal risk, as the more complex logic (which is more susceptible tohuman error or integration challenges with other components) iscontained in the security metadata. This architecture allows for fastiterative testing of changes, and for fast reaction to security breachesor incidents. This tier also can be used to apply additional dynamiclogic as needed, for example, to vary the enforcement of features basedon the geographic location of the server or end user, user-agent orother information carried with the request, or to isolate changes intodynamically-allocated zones of edge servers for safe roll-out withoutimmediately impacting all customer traffic.

The SPE may be extended to provide additional interfaces andfunctionality. For example, the application may be configured to enablea user is given control to dynamically configure the execution ofpolicies, such as the order and timing for policies to be deployed tothe network. Using this feature, a user can stage the deployment ofparticular policies in functional or geographic zones based, forexample, on characteristics of the network, or the user-agent, or thelike.

In a representative implementation, the subject functionality isimplemented in software, as computer program instructions executed by aprocessor.

More generally, the techniques described herein are provided using a setof one or more computing-related entities (systems, machines, processes,programs, libraries, functions, or the like) that together facilitate orprovide the described functionality described above. In a typicalimplementation, a representative machine on which the software executescomprises commodity hardware, an operating system, an applicationruntime environment, and a set of applications or processes andassociated data, that provide the functionality of a given system orsubsystem. As described, the functionality may be implemented in astandalone machine, or across a distributed set of machines. Thefunctionality may be provided as a service, e.g., as a SaaS solution.

While the above describes a particular order of operations performed bycertain embodiments of the invention, it should be understood that suchorder is exemplary, as alternative embodiments may perform theoperations in a different order, combine certain operations, overlapcertain operations, or the like. References in the specification to agiven embodiment indicate that the embodiment described may include aparticular feature, structure, or characteristic, but every embodimentmay not necessarily include the particular feature, structure, orcharacteristic.

While the disclosed subject matter has been described in the context ofa method or process, the subject disclosure also relates to apparatusfor performing the operations herein. This apparatus may be speciallyconstructed for the required purposes, or it may comprise ageneral-purpose computer selectively activated or reconfigured by acomputer program stored in the computer. Such a computer program may bestored in a computer readable storage medium, such as, but is notlimited to, any type of disk including an optical disk, a CD-ROM, and amagnetic-optical disk, a read-only memory (ROM), a random access memory(RAM), a magnetic or optical card, or any type of media suitable forstoring electronic instructions, and each coupled to a computer systembus. While given components of the system have been describedseparately, one of ordinary skill will appreciate that some of thefunctions may be combined or shared in given instructions, programsequences, code portions, and the like.

Preferably, the functionality is implemented in an application layersolution, although this is not a limitation, as portions of theidentified functions may be built into an operating system or the like.

The functionality may be implemented with other application layerprotocols besides HTTP, such as HTTPS, or any other protocol havingsimilar operating characteristics.

There is no limitation on the type of computing entity that mayimplement the client-side or server-side of the connection. Anycomputing entity (system, machine, device, program, process, utility, orthe like) may act as the client or the server.

What is claimed is as follows:
 1. A policy management system comprisinga set of computing machines, the system comprising: a staging networkcomprising a first machine for providing a web-based application havinga display interface having a set of management tabs, the management tabincluding an editor interface that receives information specifying astaging instance of a policy, the staging network further including atleast one other machine on which the staging instance of the policy istested, the display interface further configured to receive a command topromote the policy from the staging network to a production networkfollowing testing; and the production network comprising a decider tier,and a second machine at which the policy is enforced, the decider tiercomprising a data store that stores a precompiled version of the policythat has been tested and promoted from the staging network to theproduction network, the precompiled version of the policy comprising adecision tree; wherein the second machine enforces the policy at leastin part by issuing a remote procedure call to the decider tier andreceiving a response, wherein the response is generated at the decidertier by executing the precompiled version of the policy.
 2. The policymanagement system as described in claim 1 wherein the informationspecifying the staging instance of the policy comprises a path valuethat points to content in a customer configuration that is to beprotected by the policy.
 3. The policy management system as described inclaim 1 wherein the information specifying the staging instance of thepolicy comprises a range of time for which the policy will be valid. 4.The policy management system as described in claim 1 wherein theinformation specifying the staging instance of the policy comprises apolicy history.
 5. The policy management system as described in claim 1wherein the information specifying the staging instance of the policycomprises a set of features active and enabled for the policy.
 6. Thepolicy management system as described in claim 5 wherein the set offeatures comprises one of: token authentication, content targeting,media encryption, and media player verification.
 7. The policymanagement system as described in claim 1 wherein the second machinecomprises an edge server of an overlay network.
 8. The policy managementsystem as described in claim 1 wherein the information comprisescustomer-specific parameters received via the display interface.
 9. Thepolicy management system as described in claim 1 wherein the policy is asecurity policy.
 10. The policy management system as described in claim1 wherein the information specifying the staging instance of the policycomprises an assignment of the policy to a media player component. 11.The policy management system as described in claim 1 wherein the editorinterface enables security features to be configured for given contentindependently of a delivery configuration for the given content.
 12. Thepolicy management system as described in claim 1 wherein the secondmachine stores a template, the template defining logic to perform asecurity operation, the logic being common to at least a set of contentproviders that use the system to deliver their content, wherein, uponreceipt at the second machine of a request to access content that isprotected by a given one of the policies and a determination that therequest includes data that is matched for a particular content providerand the information defining the policy, the information is retrievedand applied by setting at least one variable defined in the policy intothe template to enforce the policy with respect to the request.